DEV Community

CVE Reports
Posted on • Originally published at cvereports.com

CVE-2026-1340: MobileIron Maiden: The Unauthenticated RCE in Ivanti EPMM

Vulnerability ID: CVE-2026-1340
CVSS Score: 9.8
Published: 2026-01-29

It's becoming a tradition, isn't it? Every few months, the security community gathers around the bonfire to warm their hands over another burning edge appliance. This time, Ivanti Endpoint Manager Mobile (EPMM)—the artist formerly known as MobileIron Core—is back in the spotlight. CVE-2026-1340 is a Critical (CVSS 9.8) Unauthenticated Remote Code Execution vulnerability that allows any script kiddie with a curl binary to execute arbitrary commands as the web server user.

Disclosed in late January 2026 alongside its twin, CVE-2026-1281, this flaw was exploited in the wild as a zero-day. The vulnerability lies deep within the application distribution logic, specifically in how the appliance handles 'fob' objects. If you are running EPMM 12.7 or older and haven't applied the emergency RPMs, your MDM server essentially has a 'Welcome' mat deployed to the entire internet.

TL;DR

Unauthenticated RCE in Ivanti EPMM (formerly MobileIron) via the /mifs/c/appstore/fob/ endpoint. Exploited in the wild as a zero-day. CVSS 9.8. Patch immediately using the vendor-supplied RPMs.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CVSS: 9.8 (Critical)
  • CWE: CWE-94 (Code Injection)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploit Status: Active / Zero-Day
  • Attack Vector: Network (Unauthenticated)
  • Endpoint: /mifs/c/appstore/fob/

Affected Systems

  • Ivanti Endpoint Manager Mobile (EPMM) 12.7.0.0
  • Ivanti Endpoint Manager Mobile (EPMM) 12.6.0.0
  • Ivanti Endpoint Manager Mobile (EPMM) 12.5.0.0
  • MobileIron Core (Older versions)
  • Ivanti EPMM: <= 12.7.0.0 (Fixed in: RPM Patch / 12.8.0.0)

Exploit Details

  • AttackerKB: Community analysis of the exploitation vectors and payload specifics.

Mitigation Strategies

  • Restrict access to the /mifs/ interface to trusted networks where possible
  • Apply vendor-supplied RPM patches immediately
  • Implement WAF rules to block requests containing shell metacharacters in the URL
  • Monitor web server logs for 404 errors on the affected endpoints, such as /mifs/c/appstore/fob/
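
The last two mitigations (shell metacharacters in the URL, 404 errors on the endpoint) can also be checked retroactively against web server access logs. The following is an added example, not code from the original report or from Ivanti. It assumes Apache combined log format, and the sample log lines, function names and reason labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

FOB_PATH = "/mifs/c/appstore/fob/"  # endpoint named in the advisory
# Assumption: Apache combined log format; adjust the pattern for your appliance.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
# Shell metacharacters; "&" is left out because it separates query parameters.
SHELL_META = re.compile(r"[;|`$(){}<>\\\n\r]")

SAMPLE_LOG = [  # constructed lines for illustration, not captured traffic
    '203.0.113.7 - - [29/Jan/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/a%3Bb HTTP/1.1" 404 196 "-" "curl/8.5.0"',
    '203.0.113.7 - - [29/Jan/2026:10:01:05 +0000] "GET /mifs/c/appstore/fob/a%2524%2528b%2529 HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '198.51.100.20 - - [29/Jan/2026:10:02:00 +0000] "GET /mifs/c/appstore/fob/missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [29/Jan/2026:10:03:00 +0000] "GET /mifs/c/appstore/fob/item123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [29/Jan/2026:10:04:00 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

def decode_fully(uri, rounds=3):
    """Percent-decode repeatedly so double-encoded characters are also seen."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def triage(lines):
    """Return (ip, status, reason, raw_uri) for each suspicious fob request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = decode_fully(m["uri"])
        if not uri.startswith(FOB_PATH):
            continue
        if SHELL_META.search(uri):
            reason = "shell-metacharacter"
        elif m["status"] == "404":
            reason = "404-on-fob"
        else:
            continue
        findings.append((m["ip"], int(m["status"]), reason, m["uri"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A metacharacter hit that returned a 200 deserves more attention than one that returned a 404, so keep the status code in whatever alert this feeds.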

Remediation Steps:

  1. SSH into the Ivanti EPMM appliance.
  2. Download the appropriate RPM for your version (12.x.0.x or 12.x.1.x).
  3. Install the RPM: 'rpm -Uvh [patch_name].rpm'.
  4. Verify installation using 'rpm -qa | grep ivanti'.
  5. Restart the tomcat/httpd services if required by the patch instructions.
  6. WARNING: Re-apply this patch if you upgrade the appliance to any version earlier than 12.8.0.0.

Read the full report for CVE-2026-1340 on our website for more details including interactive diagrams and full exploit analysis.